Monday, July 24, 2017

In this series of
posts, I’m going through the Open Security Training for beginning Assembly Language and thus am putting my
own spin on things to enhance my knowledge of x86 disassembly. However, to make
the most of these tutorials you may be better of reviewing the material from Open Security Training directly.

Let’s get started!

Here is the code to help us:

/*

* This file focuses on learning the basics of
memcpy

* The objective is to get a better understanding of
how these are disassembled in C

As always, the disassemble codes
starts off with the function prologue “push ebp” and
“mov ebp,esp”. To learn more about function prologue and epilogue, see
this post.

Next instruction states “sub esp,20h”.
This means 32 bytes is being allocated on the stack for our two variables.
These are the “char mySrc[]” and “char myDst[]”. Before executing this
instruction, let’s take a look at our registers …

If we were to subtract the current
value of ESP “0019FEE4” from
the value of EBP “0019FF04” , we
will get a value of “0x20” which is basically 32 bytes. This represents the
space allocated for the two variables.

Moving along to the next instruction
“mov eax,dword ptr ds:[00404000h]”. When we take at the data segment “00404000h”
we see the following:

As we can see from above, the value
in the EAX registers matches that of our memory print out above.

Our next instruction “mov dword ptr
[ebp-10h],eax” now takes our EAX value and puts it into “[ebp-10h]”. Basically
we are taking our 4 bytes EAX value and placing it into the space allocated for
“mySrc”.

From the above printout of the
registers we know that “EBP = 0019FF04”. Hence as we look at our stack, we
see that ”[ebp-10h]” contains “”

0x0019FEE4 00401490 ..@. – [EBP-32]

0x0019FEE8 00000001 .... – [EBP-28]

0x0019FEEC 00000001 .... – [EBP-24]

0x0019FEF0 0019fefc üþ.. – [EBP-20]

0x0019FEF4 004011f3 ó.@. –
[EBP-16]

0x0019FEF8 00000000 .... – [EBP-12]

0x0019FEFC 0019ff10 .ÿ.. – [EBP-8]

0x0019FF00 0f1456e5 åV.. – [EBP-4]

0x0019FF04 0019ff18 .ÿ - EBP

After execution of the instruction,
we see the ”[ebp-10h]” now contains the value “EAX = 75636573” which is in EAX regiser.

0x0019FEE4 00401490 ..@. – [EBP-32]

0x0019FEE8 00000001 .... – [EBP-28]

0x0019FEEC 00000001 .... – [EBP-24]

0x0019FEF0 0019fefc üþ.. – [EBP-20]

0x0019FEF4 75636573 secu – [EBP-16]

0x0019FEF8 00000000 .... – [EBP-12]

0x0019FEFC 0019ff10 .ÿ.. – [EBP-8]

0x0019FF00 0f1456e5 åV.. – [EBP-4]

0x0019FF04 0019ff18 .ÿ - EBP

Our next instruction “mov ecx,dword
ptr ds:[00404004h]” then takes the next 4 bytes within our string and place
that into the ECX register.

Looking at our registers above we
see “ECX = 00000001”. After executing the instruction,
we see the registers showing …

Next instruction “mov dword ptr
[ebp-0Ch],ecx” says to now take value in ECX and place it at [ebp-0Ch], which
is basically [EBP-12]. As we can see above, [ebp-0Ch] is below [EBP-16].

0x0019FEE4 00401490 ..@. – [EBP-32]

0x0019FEE8 00000001 .... – [EBP-28]

0x0019FEEC 00000001 .... – [EBP-24]

0x0019FEF0 0019fefc üþ.. – [EBP-20]

0x0019FEF4 75636573 secu – [EBP-16]

0x0019FEF8 79746972 rity – [EBP-12]

0x0019FEFC 0019ff10 .ÿ.. – [EBP-8]

0x0019FF00 0f1456e5 åV.. – [EBP-4]

0x0019FF04 0019ff18 .ÿ - EBP

Looking at above, we can see our
string is being chunked into 4 bytes pieces and placed unto the stack.

Executing the next instruction “mov edx,dword
ptr ds:[00404008h]” says to move the value at the memory address “00404008h”
into the EDX register. Above we see the “EDX = 0040447C”. After execution of the
instruction, and the printout of the registers, we see …

Similar to the two previous instructions, the next
instruction “mov dword ptr [ebp-8],edx” moves the value in EDX to [ebp-8].
After execution, we see the following …

0x0019FEE4 00401490 ..@. – [EBP-32]

0x0019FEE8 00000001 .... – [EBP-28]

0x0019FEEC 00000001 .... – [EBP-24]

0x0019FEF0 0019fefc üþ.. – [EBP-20]

0x0019FEF4 75636573 secu – [EBP-16]

0x0019FEF8 79746972 rity – [EBP-12]

0x0019FEFC 0019ff10 .ÿ.. – [EBP-8]

0x0019FF00 0f1456e5 åV.. – [EBP-4]

0x0019FF04 0019ff18 .ÿ - EBP

Looking at above, we can see our
string is being chunked into 4 bytes pieces and placed unto the stack.

Executing the next instruction “mov edx,dword
ptr ds:[00404008h]” says to move the value at the memory address “00404008h”
into the EDX register. Above we see the “EDX = 0040447C”. After execution of the
instruction, and the printout of the registers, we see …

Similar to the two previous instructions, the next
instruction “mov dword ptr [ebp-8],edx” moves the value in EDX to [ebp-8].
After execution, we see the following …

0x0019FEE4 00401490 ..@. – [EBP-32]

0x0019FEE8 00000001 .... – [EBP-28]

0x0019FEEC 00000001 .... – [EBP-24]

0x0019FEF0 0019fefc üþ.. – [EBP-20]

0x0019FEF4 75636573 secu – [EBP-16]

0x0019FEF8 79746972 rity – [EBP-12]

0x0019FEFC 2e6b696e nik. – [EBP-8]

0x0019FF00 0f1456e5 åV.. – [EBP-4]0x0019FF04 0019ff18 .ÿ - EBP

Yet again another move instruction. The instruction
“mov eax,dword ptr ds:[0040400Ch]”. This instruction moves the value at memory
address “0040400Ch” and places it into the EAX register. From what we have been
doing so far at this point we should know this is the last 4 bytes of our
string “securitynik.com”. from above we see “EAX = 75636573”. After
execution, we see the registers containing …

Now that the value has been moved to the EAX
register, executing the next instruction “mov dword ptr [ebp-4],eax” moves the
value in eax to our stack thus building out our string “securitynik.com”.
Looking at the stack after execution we see …

0x0019FEE4 00401490 ..@. – [EBP-32]

0x0019FEE8 00000001 .... – [EBP-28]

0x0019FEEC 00000001 .... – [EBP-24]

0x0019FEF0 0019fefc üþ.. – [EBP-20]

0x0019FEF4 75636573 secu – [EBP-16]

0x0019FEF8 79746972 rity – [EBP-12]

0x0019FEFC 2e6b696e nik. – [EBP-8]

0x0019FF00 006d6f63 com. – [EBP-4]

0x0019FF04 0019ff18 .ÿ - EBP

At this point we have completed building out our
string on our stack for the variable “mySrc”

Since we have occupied the first 16
bytes after the EBP for “mySrc”, the next 16 bytes is for the “myDst” variable.

Looking at the “printf()” statement
…

… we see the first instruction “lea ecx,[ebp-20h]”.
This loads the effective address for [ebp-20h], which is EBP-32 in decimal. As
we look above, the value at “ebp-20h” is at address “0x0019FEE4”. Hence after execution, this value
is placed in the ECX register as shown below.

Once again, there is a push
instruction “push edx” which now pushes the value of EDX unto the stack. As we
know this value is the same as our previous push. Looking at our stack after
the push we see …

0x0019FEDC 0019fee4 äþ.. – ESP now points here

0x0019FEE0 0019fee4 äþ..

0x0019FEE4 00401490 ..@.

0x0019FEE8 00000001 ....

0x0019FEEC 00000001 ....

0x0019FEF0 0019fefc üþ..

0x0019FEF4 75636573 secu

0x0019FEF8 79746972 rity

0x0019FEFC 2e6b696e nik.

0x0019FF00 006d6f63 com.0x0019FF04 0019ff18 .ÿ..

The next instruction “lea eax,[ebp-10h]”
loads the address at “[ebp-10h]” which is basically [ebp-16] in decimal “0x0019FEF4 which is also the “mySrc” variable which also points to the beginning of our
string “securitynik.com”.

The next instruction “push eax” now
pushes the value in the EAX register, unto the stack. After execution, when we
look at the stack, we see …

0x0019FED8
0019fef4 ôþ.. – ESP now points here

0x0019FEDC 0019fee4 äþ..

0x0019FEE0 0019fee4 äþ..

0x0019FEE4 00401490 ..@.

0x0019FEE8 00000001 ....

0x0019FEEC 00000001 ....

0x0019FEF0 0019fefc üþ..

0x0019FEF4 75636573 secu

0x0019FEF8 79746972 rity

0x0019FEFC 2e6b696e nik.

0x0019FF00 006d6f63 com.

0x0019FF04 0019ff18 .ÿ..

Next instruction states “lea ecx,[ebp-10h]”,
which once again loads the address of “mySrc”. However, this time it stores the
value in the ECX register. After execution, we see the registers look as
follows …

The next instruction “push ecx” now
pushes the value in “ecx” unto the top of the stack. Looking at the stack after
execution of the instruction we see …

0x0019FED4 0019fef4 ôþ.. – ESP now points here

0x0019FED8 0019fef4 ôþ..

0x0019FEDC 0019fee4 äþ..

0x0019FEE0 0019fee4 äþ..

0x0019FEE4 00401490 ..@.

0x0019FEE8 00000001 ....

0x0019FEEC 00000001 ....

0x0019FEF0 0019fefc üþ..

0x0019FEF4 75636573 secu

0x0019FEF8 79746972 rity

0x0019FEFC 2e6b696e nik.

0x0019FF00 006d6f63 com.

0x0019FF04 0019ff18 .ÿ..

At this point, we have pushed the
arguments for “printf()” unto the stack in the following order:
“myDst”, “&myDst”, “mySrc”, “&mySrc”. Notice the values were pushed in
the reverse order unto the stack.

Our next instruction “push 404010h”,
pushes the address of the string in printf() unto the stack. If we take a look
at the address “404010h”, we see our string …

0x00404010 65425b20 [Be

0x00404014 65726f66 fore

0x00404018 6d654d20 Mem

0x0040401C 5d797063 cpy]

0x00404020 0a207c20 | .

Now that we have push all the
arguments and the pointer to our string unto the stack, the next instruction “call
004010D0” calls the printf() function leveraging the arguments and string from
the stack.

Since the objective is not to
analyze the printf() function, I will now “step over” the instruction “call 004010D0”

Our next instruction “add esp,14h”
basically adds 20 bytes to the stack, thus cleaning up the space which was used
for the pushing the arguments and its string unto the stack.

At this time I’m ignoring the
following instruction:

push 40406Ch

0040104A call
004010D0

0040104F add
esp,4

Which is related to printing the
line “-=-=-=-=-=-||-=-=-=-=-=-\n”

Time to take a quick basic look at “memcpy”
changing the location of items in memory.

The first instruction “push 10h”
says to push the value 16 unto the stack. This is basically our argument “sizeof(myDst)”

After executing the instruction
“push 10h” the stack looks like

0x0019FEE0
00000010 .... – ESP now points here

0x0019FEE4 00401490 ..@.

0x0019FEE8 00000001 ....

0x0019FEEC 00000001 ....

0x0019FEF0 0019fefc üþ..

0x0019FEF4 75636573 secu

0x0019FEF8 79746972 rity

0x0019FEFC 2e6b696e nik.

0x0019FF00 006d6f63 com.

0x0019FF04 0019ff18 .ÿ..

Our next instruction “lea edx,[ebp-10h]”
says to take the address at “[EBP-16]” decimal which is “0x0019FEF4” and places it in the “edx”
register. After execution, when we look at the registers we see …

The next instruction “push edx” now
pushes the value in EDX register unto the stack. This value is basically the
beginning address to our string on the stack which is our second argument for
memcpy “mySrc”. Looking at our stack after execution we see …

0x0019FEDC 0019fef4 ôþ.. - ESP now points here

0x0019FEE0 00000010 ....

0x0019FEE4 00401490 ..@.

0x0019FEE8 00000001 ....

0x0019FEEC 00000001 ....

0x0019FEF0 0019fefc üþ..

0x0019FEF4 75636573 secu

0x0019FEF8 79746972 rity

0x0019FEFC 2e6b696e nik.

0x0019FF00 006d6f63 com.0x0019FF04 0019ff18 .ÿ..

The next instruction “lea eax,[ebp-20h]”
takes the address of our third “memcpy” argument “myDst” and loads it into the “eax”
register. After execution our registers show …

Below is a list of threat intelligence websites that you can use. Cymon.io is an excellent one as it searches around 200 different sources. If you’re looking for a more exhaustive list of threat intel sites, check out https://github.com/rshipp/awesome-malware-analysis